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Abstract 

Quantum cryptography is going to find practically useful applications. Recently some first 
quantum cryptographic solutions became available on the market. For clients it is important to 
be able to compare the quality and properties of the proposed products. To this end one needs 
to elaborate on specifications and standards of solutions in quantum cryptography. We propose 
and discuss a list of characteristics for the specification, which includes numerical evaluations 
of the security of solution and can be considered as a standard for quantum key distribution 
solutions. The list is based on the average time of key generation depending on some parameters. 
In the simplest case for the user the list includes three characteristics: the security degree e, the 
length of keys m and the key refresh rate R. 
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1 Introduction 

In 1984 Bennett and Brassard [1] proposed the first quantum key distribution (QKD) protocol, 
which was named BB84 later and on which most the present-day practical realizations of QKD are 
based [2-7]. In 1991 Eckert proposed a QKD protocol of another type (based on quantum entangle- 
ment) [8] which is called E91. There are also practical realizations of this type of protocols [9]. 

Recently the first commercial QKD systems [3,4] became available on the market. Some com- 
mercial, military and security institutions are interested in this new technology. In this connection, 
the questions about the concept of the security of QKD protocols and keys generated by them are 
crucial. 

As with any product the problem of elaborating on some standards and specifications of QKD 
systems arises: what kind of characteristics a producer have to include in the specification. The ne- 
cessity of the elaboration of some standards for the widespread deployment of quantum cryptography 
has been already pointed out in [10]. 

In this paper we propose and discuss a list of characteristics for the specification, which includes 
a numerical evaluation of the security of solution and can be considered as a standard for quantum 
key distribution solutions. The list is based on the average time of key generation depending on some 
parameters. 

In the simplest case for the user the list includes three characteristics: the security degree e, the 
length of keys m and the key refresh rate R. 

The paper is organized as follows. In Section 2 we remind some features of QKD. We give the 
comparison of the computational and information-theoretic (unconditional) approaches to cryptog- 
raphy, the notions of QKD protocol and keys security, a classification of adversary's attacks and 
some specific features of QKD. In Section 3 we discuss the problem of specification of QKD systems 
and propose a list of characteristics of these systems, which can be taken as a standard and which a 
producer has to indicate in the specification. 

For a review on quantum cryptography see, e.g., [11, 12]. 



In this section we discuss various properties of QKD which are relevant to specifications. 

2.1 Computational and information- theoretic approaches 

Two approaches are distinguished in cryptography depending on the nature of the assumptions 
about the adversary [13,14]. 

• Computational approach is proposed in [15] and based on the complexity of solving of some 
computational problems (such that, for example, factorization of the whole numbers or discrete 
taking the logarithm) and on the assumption that the adversary's computational power is 
bounded. However, as the adversary with the unbounded computational power can solve any 
such problem as quickly as he wish and, hence, break the cryptographic system, computational 
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security is always conditional. The risk that the security of a system in computational sense 
will be broken exists always because of the progress in the computer engineering (for example, 
in the engineering of quantum computers). 

• Information-theoretic approach originates in [16] and is based on the assumption that the 
information of the adversary is bounded. In quantum cryptography the adversary's information 
is bounded due to the uncertainty relations in quantum world. As there are no assumptions on 
the adversary's computational power, information-theoretic security is called unconditional and 
is more desirable. Theoretically, the adversary has no way to break an unconditionally-secure 
cryptographic system, even using infinite computing power. 

Most the present-day cryptographic protocols (for example, RSA) are based on the computational 
approach, namely, on the lack of effective algorithms for solution of NP-problems at present. Besides 
the weaknesses of the computational approach pointed out above, the fact that impossibility of the 
effective solving the NP-problems isn't proved is considered to be one more weakness of the present- 
day cryptosystems. If effective algorithms for solving NP-problems are found, most of the present-day 
cryptosystems will lose their security. 

2.2 Security of pair of keys 

The problem of key distribution is an important problem in cryptography. Two legal parties, Alice 
and Bob, want to get a pair of keys 1 (one key for Alice and another one for Bob) using communication 
channels. A realization of a certain random variable on a finite set /C, or this random variable itself 
is regarded as a key. A pair of keys is called perfectly secure if 

(i) they are uniformly distributed, 

(ii) they are identical, and 

(iii) a potential adversary (Eve) has no information about them. 

Accordingly, the adversary Eve aims, firstly, to get as much information about the keys as possible 
and, secondly, to make the Alice's and Bob's keys different. 

It is necessary to evaluate the security of the pair of keys. It is natural to define the insecurity of 
the pair of keys as the distance from the ideal pair of keys which is perfectly secure [17, 18]. Since 
the definition must be applicable to quantum cryptography, it must be given in terms of quantum 
states. Classical state (probability distribution) is a particular case of quantum state. Let Pr a k b be 
a joint distribution of Alice's key Ka and Bob's key K B . Let p be a quantum state which includes 
both the keys Ka and Kb, and Eve's (in general, quantum) information about these keys. Let Pideai 
be the state which corresponds to the ideal pair of keys. Then, the pair of keys (Ka, K b ) is called 
e-secure where e G [0, 1], if 

S(p, Pideai) <l-S. 

The number e we will call the security degree of the pair of keys. Here S(-, •) G [0, 1] is the distance 
measure between two quantum states. So, a pair of keys is as secure as e is closer to 1. A 1-secure pair 
of keys is perfectly secure. Note that this security is information-theoretic (unconditional), because 
there aren't any assumptions about Eve's computational power. 

See Appendix for the formal definition of the security degree of a pair of keys. Here we give some 
important properties of this definition. 

! In a number of papers it is said about one key, but we will say about two keys in order to emphasise that formally 
there are two different random values and, in general, the Alice's and Bob's keys don't coincide with each other. 
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• This definition of security is universally composable in sense of [19], which is important for the 
modern cryptographic protocols. 

• If the pair of keys is e-secure, then the probability P gue ss that the adversary guesses the keys 
(success probability) is bounded by (see [20] and [18]) 

1 guess — ~ ± c 

where |/C| is the number of elements in the set of keys /C. For example, the success probability 
of the e-secure n-bit pair of keys is bounded by 2~ n + 1 — e. If the pair of keys is perfectly 
secure, then the success probability is 1/|/C|, i.e., the adversary has no information and can 
only perform the completely random guessing from \)C\ elements. 

• The fact that the pair of keys is ^-secure can be interpreted as that the pair is perfectly secure 
with the probability e. 

So, this definition is both useful, because it is universally composable, and obvious, because it 
is related to the adversary's success probability and the probability that the pair is perfectly 
secure. 

• If the pair of keys (K\K\, K^K^) which is get by concatenation of two pairs (K\, K^) and 
(K\, Kg) is e-secure, then both the pairs [K\, K l B ) and (K\, K^) are also e-secure. The same 
is hold for the concatenation of arbitrary number of pairs of keys. So, we can divide pairs of 
keys into shorter pairs of keys with the same degree of security. 

2.3 QKD protocol 

A practical quantum cryptography system with two legal parties (Alice and Bob) is a pair of 
hardware devices (Alice's hardware device and Bob's one). These devices are connected with each 
other by a quantum channel (mostly by optical fiber) and a classical channel (e.g., Ethernet or optical 
fiber), and each of the devices is attached to the corresponding (Alice's or Bob's) computer. It is 
clear that for operation of these devices the software is necessary. 

So, in the most general case a quantum cryptography protocol (with two legal parties) is a pair 
of programs (algorithms) for a pair of computers which interact with each other by quantum and 
classical channels using special hardware devices. Besides the commands of a usual programming 
language, these programs must contain the additional commands for the hardware devices (lasers, 
detectors etc.) management. 

Key distribution is one of the problems which can be solved by quantum cryptography. In QKD, 
in contrast to other applications of quantum cryptography, besides the legal parties there is also 
the adversary Eve. She also has a computer with an attached hardware device which allows Eve 
to eavesdrop the channels and to change the messages transmitting through them. So, in essence, 
the adversary's attack is a program for her computer with a special hardware. For a more formal 
discussion see, e.g., [21,22]. 

The QKD protocols usually include the following steps. 

1. Photons transmission. Alice transmits to Bob a certain number of photons through the quantum 
channel in the states that she chooses from a certain set. Her choices are unknown to Eve. Eve 
can perform different operations on the transmitted photons. Bob measures these photons in 
the bases that he also chooses from a certain set. His choices are also unknown to Eve. 
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2. Test. Alice and Bob estimate a certain measure of Eve's interference by analysing the data 
transmitted and received through the quantum channel and communicating through the clas- 
sical (public) channel. For BB84-type protocols the quantum bit error rate (QBER) plays the 
role of the measure of Eve's interference. In E91-type protocols the level of violation of Bell's 
inequality plays the role of this measure. Using the estimated value of this measure they esti- 
mate Eve's information about the data. If the estimation of Eve's information exceeds a certain 
bound, then Alice and Bob go to step 3. If not, they go to step 4. This analysis is based on the 
property of quantum world: the measurement of the quantum system changes the state of this 
system, so it is impossible for Eve to get information by measuring the transmitted photons 
without introducing the noise in them. 

3. Decision about the further course of the protocol. The negative result on step 2 may be caused 
by both Eve's influence and statistical fluctuations. Alice and Bob may end the execution of 
the protocol, or return to step 1 and run the cycle once again. 

4. Classical postprocessing of the quantum data. Alice and Bob perform the certain classical 
procedures by communicating through the classical (public) channel which allow them to correct 
errors, to reduce Eve's information and so, to get a pair of keys with the desirable security 
degree. 

On steps 2-4 Eve taps the classical channel and, may be (see the next subsection), actively 
intercept the classical communication of Alice and Bob. 

In this way, one gets the quantum state p which includes the Alice's and Bob's keys Ka and Kb, 
and Eve's information about them, see the previous subsection. 

In some cases, steps 3 and 4 can be omitted. For example, in [23] another approach to quantum 
cryptography is proposed. But there is also the same sequence: photon transmission, then test. 

Note the following features of QKD protocols: 

• Probability that Eve guess all Alice's and Bob's choices during the photon transmission step 
is negligibly small, but not zero. In this case, Eve will have full information about the keys. 
On the other hand, privacy amplification procedure on step 4 can reduce Eve's information to 
arbitrary small amount, but not to zero. So, a pair of keys generated by QKD system can't be 
perfectly secure. 

• It is possible that either Alice or Bob, or both of them retract the key distribution (see step 
3). This is possible even in case of no eavesdropping, but noisy quantum channel: if there are 
too many errors due to the natural noise in the quantum channel (this can happen with some 
nonzero probability), Alice and Bob could think that there is an eavesdropper and retract the 
key distribution. In order to reduce this probability (i.e., to reduce the statistical fluctuations), 
Alice have to send more photons to Bob, which has an effect on the time of key generation (see 
subsection l3~4^) . 

2.4 Classification of the adversary's attacks 

When we speak about the security degree of the pair of keys which is generated by the key 
distribution protocol, we must point out the class of adversary's attacks relative to which the pair of 
keys has the declared security degree. We consider the following classification. 

I. By the degree of mastering of quantum technologies by the adversary. 
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(i) Incomplete mastering of quantum technologies. Besides the laws of quantum mechanics, 
there are other restrictions on the adversary's operations on the photons transmitted 
through the quantum channel. For example, the adversary can perform only individual 
attacks, or the adversary can't perform the beam-splitting attack [11]. 

(ii) Complete mastering of quantum technologies. During the photons transmission the ad- 
versary can perform with these photons any operations that are allowed by quantum 
mechanics. 

II. By the authenticity of the classical channel. 

(i) Authentic classical channel. The adversary can freely tap the classical channel, but can't 
change and interrupt the messages sent by the legal parties, and send other messages. So, 
the adversary has read access, but hasn't write access to the classical channel. In case this 
assumption, the authenticity of the channel must be provided by technology. 

(ii) Unauthentic classical channel. The adversary can not only freely tap the classical channel, 
but also change and interrupt the messages sent by the legal parties, and send her messages 
to Alice and Bob. So, the adversary has read and write access to the classical channel. In 
this case, the authenticity of the channel in the protocol must be provided by mathematics. 
Generally speaking, it is more preferable, if the classical channel isn't assumed to be 
authentic, but the technological methods of providing with the authenticity can be in 
more effective some cases from the viewpoint of other parameters of the QKD system 
(e.g., one can avoid the key degradation problem - see subsections 12 .5| EP1 and ET3|) . 

III. By the adversary's computing power. 

(i) Adversary has limited computing power. 

(ii) Adversary has unlimited computing power. 

We should make a remark about the limitation of the computing power. Assumption about 
the adversary's computing power can be applied for using the public-key methods (e.g., 
digital signatures) as a mathematical method of authentication of the classical channel. 
In this case, the security of the pair of keys generated by the protocol, generally speaking, 
isn't unconditional. But there is an advantage over the public-key cryptosystems, which is 
noticed in [24]. In public- key cryptosystems, even if the adversary hasn't unlimited com- 
puting power now, in future, when unlimited computing power probably will be available, 
she can calculate the secret key using the public key and so, break the cryptosystem. 
In case of the use of public-key methods for authentication in the QKD protocol, if the 
adversary hasn't enough computing power now, it is useless to have unlimited computing 
power later. So, one can say that, in general, such a pair of keys is unconditionally-secure 
against future attacks. 

Accordingly, the most general class of attacks is the case when the adversary has complete master- 
ing of quantum technologies and unlimited computing power, and the classical channel is unauthentic. 

This classification is rather rough, more precise classifications, e.g., specifications of adversary's 
mastering of quantum technologies (if it is incomplete) and computing power (if it is limited), are 
possible. The intermediate authenticity degrees of the classical channel, e.g., the case when the 
adversary can send her messages, but can't change and interrupt other messages (it is realistic in 
radio communication), are also possible. 
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2.5 Key degradation problem 

One more significant problem in quantum cryptography is the key degradation problem, which 
is considered in [17]. 

In case of unauthentic classical channel and unlimited Eve's computing power, Alice and Bob 
have to use the unconditional message authentication codes (MAC), and for that they have to have 
a common key, or, as shown in [25], at least correlated random variables about which Eve hasn't 
complete information. A portion of each of the generated keys must be kept for the next session, 
where it will be used as the initial key (for authentication). However, the obtained pair of keys is not 
perfectly secure. So, with every run of the QKD protocol Alice and Bob obtain less and less secure 
keys. 

Hence, after a number of runs of QKD protocol Alice and Bob need to obtain a new pair of keys 
not by QKD protocol. We will call these keys and source that generates them and deliver to Alice 
and Bob external. So, in this case, Alice and Bob need to have an external source of keys. 

If the classical channel is authentic, then it's not necessary to have an external pair of keys. 
If the channel is unauthentic, but the Eve's computing power is limited, then Alice and Bob can 
use public-key methods for authentication, e.g., digital signatures. In this case, they need to have 
an external initial key only at the beginning for the announcement of the first public key. Then a 
portions of public and secret keys is used for the authentication of the current message, and another 
portion - for the authentication of the announcement of the next public key. In this case we have no 
problem of key degradation. 

The initial pair of keys can be used not only for the authentication [23] . 

3 Specifications of QKD systems 

3.1 Questions to the producers of QKD systems 

At present first commercial QKD systems come into the market [3,4]. They provide specifications 
which include physical, environmental an some other characteristics of the QKD systems. Note that 
for the commercial QKD systems the length of keys m and the key refresh rate R are indicated 
(m = 256 bits, R = 100 times/second) [3,4]. In specifications and descriptions of these systems some 
important from practical point of view information is lacking. One asks the following questions: 

(i) How secure can be pair of keys that the user obtain using these systems? 

(ii) Against which class of attacks are these systems secure? 

(iii) Is the key degradation problem taken into account? 

Concerning the security it is claimed that the keys generated by the commercial QKD systems 
are absolutely secure. It is not clear what does it mean. As we have said above, the security degree e 
of the pair of keys generated by the QKD protocol can't be equal to 1, i.e., the pair of keys can't be 
perfectly secure in this sense. We suggest that such important characteristic as the security degree 
of the pair of keys should be indicated in the specification. 

These questions are important since one of the declared advantages of quantum cryptography over 
the conventional one is the availability of rigorous proofs and estimations (see also discussion in [23]). 
So, the lack of the rigorous numerical estimations of the security is a retreat from the original idea 
of quantum cryptography. Certainly, any security estimation is relative: the adversary can perform 
an attack which is not concerned directly with the operations on the transmitted photons, i.e., 
which isn't taken into account by the mathematical formalism (the examples of such attacks see, 
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e.g., in [11]). However, the rigorous numerical security estimations in assumption that adversary's 
operations satisfy the declared class of attacks, in our opinion, are necessary. The estimation of the 
real security can be obtained only when numerous various attacks on the practical QKD systems are 
carried out. So, we need an army of "quantum hackers" (see [10]). 

Besides, the following general principle of cryptography is known [26,27]: any statement about the 
security of a cryptographic scheme demand the precise specification of values of all of its parameters, 
and often even a small deviation from the established values completely destroys the security of the 
system. 

3.2 Maximal measure of Eve's interference and Success probability 
in case of no eavesdropping 

In subsection 12.31 it was said about the measure of Eve's interference (QBER for BB84-type 
protocols and the level of violation of Bell's inequality for E91-type protocols). This measure is 
denoted by M. 

In [28] the notion of secrecy capacity of the classical broadcast channel was introduced. This is an 
analogue of Shannon's channel capacity for the case of the presence of an eavesdropper: besides the 
required transmission rate it is demanded in the definition of secrecy capacity that the eavesdropper 
has a negligibly small information. In [29] these ideas were extended for the case when in addition to 
the broadcast channel Alice and Bob can communicate also through the public channel. The notion 
of secret key rate was introduced there. 

A quantum channel with classical input (Alice's coding of classical bits into the quantum states) 
and classical output (Bob's and Eve's measurements) can be considered as a classical broadcast 
channel. So, in quantum cryptography we can also use the notion of secret key rate. But, in contrast 
to the classical models, in the quantum case the secret key rate S depends on Eve's activity. Alice 
and Bob can estimate it by estimating the measure of Eve's interference M, i.e., S = S(M). 

And there is a maximal value M max such that S(M) = 0, if M > M max , and S(M) > 0, if 
M < M max . For example, the maximal QBER for the BB84 protocol is known to be 11% [30]. 

This value M max is often used to characterize and compare different QKD protocols. Larger value 
of M max for a protocol means that this protocol is more robust against the natural noise (i.e., the 
noise when there is no eavesdropping) in the quantum channel. If M max is such that due to the 
natural noise the value of M estimated by Alice and Bob is more than M max with high probability, 
then this protocol cannot operate, since Alice and Bob would think that due to the eavesdropping 
they cannot generate a secret key, whereas there is no eavesdropping. 

Of course, M max is an important characteristic of a QKD protocol, but, in our opinion, it has the 
following drawbacks for the specification of QKD systems: 

• Secret key rate, as well as secrecy capacity and usually Shannon's channel capacity, is an 
asymptotic characteristic: it guarantees that it is possible to get a pair of keys with security 
degree arbitrarily close to one only for sufficiently large number of transmitted photons. But 
Alice and Bob have only finite number of transmitted photons on the step of test (see subsection 
12. 3|) . If they determine that this number is not enough to achieve the desired security degree 
with the given secret key rate, Alice can transmit more photons to Bob. But Eve can change 
her strategy of interception of the quantum channel and, hence, change the value of secret key 
rate during this second transmission. So, the satisfaction of the condition M < M max does not 
mean that the distribution of the pair of keys with the desired security degree is possible; 

• M max is not a universal characteristic of QKD protocol, since the different measures of Eve's 
interference are used in the different protocols; 
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• M max is a rather internal characteristic of QKD protocol. It is of the interest of the engineer 
who develops the QKD solution, but not of the engineer who develops further applications 
using the QKD solution or of the end-user. 

M max is not a measure of robustness of the protocol against Eve's attacks: if Eve wants to break 
the communication between Alice and Bob, she can always do it by making M greater than M max . 
M max is only a measure of robustness of the protocol against the natural noise. But then we can use 
the probability 

7 = Pr[M < M max \ no eavesdropping ] 

instead of M max . 7 is the probability that both Alice and Bob do not retract the key distribution in 
case of no eavesdropping. This parameter is both universal and suitable for users. We will call 7 the 
success probability in case of no eavesdropping. 

In fact, 7 depends on the number n of transmitted photons: Alice can send more photons in order 
to decrease the statistical fluctuations and hence to increase 7. But we do not write this dependence 
(like j(n)), because we consider 7 as an external parameter, which is set by the user (or it may 
be fixed - see subsection IH.4jl . and number of photons n as an internal parameter of the current 
operating of the QKD system, which is not of the interest of the user. So, the number of photons n 
depends on 7. And the computer program of QKD system determine the required number of photons 
72(7) for the given 7. 

3.3 The simplest specification of QKD parameters 

We propose to use the following three characteristics for the specification of QKD parameters of 
the system in the simplest case: 

• security degree e, 

• length of keys m, and 

• key refresh rate R. 

Here it is assumed that the security degree and the length of keys in the QKD system are fixed 
and in this sense this is the simplest case. If the user can vary e and m, then R = R(m, e) is a 
function depending on these parameters. A pair of keys which is longer or more secure requires more 
time for its generation, i.e., the smaller key refresh rate. 

But e and m are fixed for an individual launch of the QKD system. So, in all cases these parameters 
characterise the individual launch of the QKD system. 

Here it is also assumed that there is no key degradation problem here, i.e., the users don't have 
to have external keys. 

3.4 Functional engineering characteristics of QKD systems 

In this subsection we introduce functional characteristics of the QKD systems suitable for detailed 
specifications. 
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3.4.1 Average time of key generation 

For the functional description of QKD system we propose to use the average time of key generation 
T, if the QKD parameters (security degree, length of keys etc.) are fixed. The average time T describes 
the quality of the QKD system. Higher security requires the longer time of key generation. Note that 
the time T includes the times required for both photons transmission and classical computations. 
That's why we use the time instead of the number of photons for the description. We suppose that 
the time depends on the following parameters: 

(i) The desirable length of keys m 

(ii) The desirable security degree of keys e, < e < 1 

(iii) The desirable success probability in case of no eavesdropping (see subsections 12.31 and I3.2|) 7, 

< 7 < 1 

(iv) The length of the initial pair of keys m , m < m 

(v) The security degree of the initial pair of keys. e , < e < 1. 

So, the average time T is a function T = T(m, e, 7, mo, Eq). The average time T increases as m, 
e or 7 increase, or m or e decrease. T(m, e, 7, m , £0) = 00 is interpreted as an impossibility of 
key generation with the given parameters. Here it is assumed that the distance of the QKD system 
functioning is fixed. 



3.4.2 Key refresh rate and key generation rate 

The average time T describes the QKD system in details, but it depends on too many arguments. 
It is necessary to introduce functions which describes the QKD system not so detailed, but have 
less parameters. One of these characteristics is the key generation rate. In order to define the key 
generation rate properly we must analyse what information is needed for user. 

In the following we fix 7, say, 7 = 0, 99, and do not consider the dependence of the functional 
characteristics below on 7. Furthermore, for simplicity we at first consider the case when m = 
(no key degradation). So, the average time T depends only on two arguments: the desirable length 
of keys m and the desirable security degree of the pair of keys e. We will write T(m, e). 

The user is interested in the pair of values (m, e), i.e., he want to generate a pair of keys (only 
once or continuously) with the length m bits and the security degree e. And he want to know the 
time T(m,e) (is measured, e.g., in seconds) during which he can generate it. Or, equivalently, he 
want to know the key refresh rate 

R(m,e) 



T(m,e) 

(is measured in times/second), which is more common in specifications of key distribution systems. 
We must give the definition of the key generation rate so that the user knowing the key generation 
rate and the desirable parameters (m, e) could find (may be approximately) the key refresh rate. It 
is natural to define the key generation rate as 

~ m 

V(m, e) = — r = mR(m, e) 

T(m, e) 

(is measured in bits/second). But we want to eliminate the length m from the arguments of the key 
generation rate, because it is natural to define the key generation rate which depends on the security 
degree, but does not dependent on the length. We define the key generation rate as 

m 

V{e) = lim 



T(m, 
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(it is assumed that the limit, may be infinite, exists). 

Explain the introduced definition. Let (m, e) is the desired pair of parameters. 

V{e) 



T(m 00 ,e) 

where m.00 is a large number. Let = mn where n is some natural number. We divide the pair of 
keys with the length into n pairs of keys with the length m. The security of each of these shorter 
pairs is also e (see the properties of the security degree at the end of subsection l2.2|) . So, n pairs of keys 
with the length m and the security degree e are generated during the time T(m 00 ,e) « m 00 /V A (e). 
The key refresh rate is R{m,e) = n/T(m 00 ,e) V(e)/m. Thus, the user knowing (m,e) and V(e) 
can calculate the key refresh rate by the formula 

x V(e) 
R{m,e) ~ 



m 

It is possible that in concrete QKD systems there are faster ways for generating keys with the 
parameters (m, e) than generating much longer keys with the same security degree. But the value 
V(e)/m gives the guaranteed key refresh rate. 

If V(e) = oo, then arbitrarily large key refresh rates are achievable by the proper (large enough) 
choice of 777,00 • 

Now consider the general case where T = T{m, e, 7, mo, Eq) (7 is fixed as before). Now Alice and 
Bob must have an external pair of keys in order to generate a pair of longer keys. So, the key refresh 
rate 

R{m,E,m ) = — — 

T(m,e,7,m , 1) 

has an additional parameter: the length of initial (external) keys m , i.e., the length of the perfectly 
secure keys that Alice and Bob must have before the QKD session in order to generate the keys with 
the length m and the security degree e. Smaller mo is more desirable, but it can decrease the key 
generation rate. For example, some security degrees becomes unavailable (i.e., the key refresh rate 
falls to zero) when the length of the external pair of keys becomes too small. Or more rounds in the 
authentication protocol [31], which require additional time, are needed in order to generate keys with 
the same security degree, but having the external pair of keys with a shorter length. 

So, R(m,£,mo) = r times/second means that Alice and Bob using the QKD system can refresh 
r times per second their keys with the length m and security degree e, and before each refreshing 
they must have for that at the average mo bits of the perfectly secure external keys (if the external 
keys are not perfectly secure, then they must be longer than m ). 

Now in order to define the key generation rate we should take m — > 00 and m — * 00 so that 
— = D = const. The amount D we will call external key consumption rate. Thus, in this case the key 
generation rate depends on two parameters: the security degree e and the external key consumption 
rate D. Since mo = |_Z?r77.J , where |_^J denotes the floor of the real number x, i.e., the nearest to x 
integer from below, we define the key generation rate as 

m 

V(e,D)= lim — — , . . 

v ' ; m->oo T(m,e,7, [Dm\,l) 

Knowing m, mo and V(e, —) one can calculate R(m,e,mo) by the formula 

Vie ^) 

R(m,e,m ) « y ' m ' (1) 
m 

Of course, it makes no sense to decrease the security degree to 0, or to increase the external key 
consumption rate to 1 or greater (in the first case the optimal way for Alice and Bob is to generate 
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two keys independently, in the latter case the optimal way is to use the external pair of keys for the 
direct purpose instead of generation a pair with a shorter length). So, the domain of the function 
V(e,D) is < e < 1, < D < 1. 

By implication, V is a continuous function on its domain, a non-increasing function of e and a 
non-decreasing function of D. 

3.4.3 Upper bound of security degrees 

One more important functional characteristic of QKD system is the upper bound of the security 
degrees which can be achieved with the given external key consumption rate. It can't decrease as 
external key consumption rate D increases. We define this function E max {D) of D, < e < 1, by the 
following formula: 

e max (D)=mm{e\V(e,D) = 0}. 

By implication, e max is a continuous function on its domain and a non-decreasing function of D. 

Since there is the security degree among the arguments of the functions T and V, it is necessary 
to point out the class of attacks (see subsection 12. 4j) relative to which the keys have the declared 
security. 

In view of the key degradation problem (see subsection 12. 5|) we will distinguish the systems with 
one-time and permanent external key consumption. Formally, we will say that the system needs 
maximum one-time external key consumption (no key degradation problem), if V(e,D) = const 
when e is fixed (hence, e max (D) = const). Otherwise we will say that the system needs permanent 
external key consumption. 

3.5 Numeric engineering and end-user characteristics of QKD sys- 
tems 

Thus, for engineering description of the QKD system we have proposed the functions 
T = T(m, e, 7, m , £0), V(e, D), e max (D). 

It is worthwhile to simplify these functional characteristics to a set of numerical characteristics 
of QKD systems which may be useful both for engineers and end-users. So, there is a problem to 
choose a set of numbers which good describes the functions. 

3.5.1 No key degradation case 

At first, we consider the simple case of one-time external key consumption rate, i.e., 
V(e, D) = V(e, 0) = V(e) and e max (D) = MAXS = const. 

It is clear that we are interested in the generation of keys with at most achievable security degrees. 
We are not interested in the behaviour of the function V(e) in the area where e is close to zero. So, we 
must choose some numerical characteristics of the function V(e) which concerns with the interesting 
area. 

First, we are interested in the upper bound MAXS of the achievable security degrees. By continuity 
of the function V, V(MAXS) = 0, so we can generate keys only at rates smaller than MAXS. But 
there is a difference how fast increases the rate as the security degree decreases from MAXS. In 
order to characterise this we approximate the function V(e) by its tangent in the point MAXS and 
introduce the marginal increment of key generation rate (MIR) 

wm dV(e) 
MIR = 

d £ e=MAXS 
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where the derivative is left-sided (since V(e) hits zero in MAXS, this point may be salient). Since 
V(e) is a non-increasing function, dV(e)/de < and MIR > 0. So, key generation rate with the 
desirable security degree of the pair of keys e is approximately calculated by 

V(e) w MIR(MAXS -e). 

Vice versa, the security degree of the pair of keys generated at a given rate V is calculated by 

V 



e(V) « MAXS 



MIR' 



So, in this simple (but practical) case, we need only two numbers in order to approximately 
characterise a QKD system: the marginal security degree MAXS, < MAXS < 1 and the marginal 
increment of key generation rate MIR, < MIR < oo. If a QKD system has greater MAXS and MIR 
than another one, then the first QKD system is better because it allows to generate more secure keys 
at higher rates. 



3.5.2 The general case 

Now we consider the general case. We are interested in the key generation with the maximal 
security degree and the minimal external key consumption rate, i.e., in the area where e is close to 
1 and D is close to 0. But the difficulty is that e(0) can be far from 1 and this is an unacceptable 
variant. So, the user have to find compromise values of e and D. 

The value that characterise the quality of the QKD system is the minimal achievable distance of 
the curve e max (D), < D < 1, to the point (e — 1, D — 0): 

DIST= min a/ a(e max (D) — l) 2 + bD 2 

0<D<1 

where a > and b > 0, a + b = 1, are some fixed coefficients. For example, one can take a = b = 0.5. 
But it may be useful to set a and b so that a > b, because the security degree and the external key 
consumption rate are not equivalent amounts. For example, D = 0, 1 (i.e., on each 10 bits of the 
new keys one have to spend 1 bit of the external keys) may be acceptable, but the security degree 
£ = 1— 0,1 = 0,9 may be too small. If a > b, one pay larger penalty for the distance e from 1 than 
for the distance D from 0. Optimal values of D and e with respect to this distance we denote by D* 
and e* = e max (D*). These values can also be used as a characteristic of the QKD system: these are 
the parameters at which key generation is optimal. 

But V(e*,D*) = by definition of the function e max (D) and continuity of the function V(e,D). 
As in the case D = 0, we have to introduce a characteristic showing how fast the key generation rate 
increases when e decreases from e* and D remains constant. We define marginal increment (MIR) of 
key generation rate as 

dV(e,D) 
MIR = ^ — '- 

OS (£*,£>*) 

where the derivative is left-sided. 

We are also interested in the ends of the function e max (D). Consider the right end. There are two 
possibilities for: either e max (0) > or E max {ti) = 0. In the latter case, define 

D min = mf{D\e max (D) > 0}. 

Of course, the first case is more preferable than the second one. In the first case, it's possible to 
generate pairs of keys with some security degree without external key consumption. In the second 
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case, the external key consumption rate can't be smaller than D min even if we want to generate a 
pair of keys with very small security degree. We define the quantity 



SOC 



'Dmin, if D m i n > 
^max (0)? if D m i n 



which we will call the security degree of the pair of keys without the external key consumption. 
Negative SWE corresponds to the second case where the external key consumption rate can't be 
smaller than some value (—SWE). 

Similarly analyse the right end of the function e max (D), i.e., 

def 

£max(l) = hm e max (D). 

There are also two possibilities: e max (l) = 1 or e rnax (l) < 1. In the first case, define 

D max = mm{D\e max (l) = 1}. 

The first case is more preferable than the second one. In the first case, it is possible to generate 
keys with the security arbitrarily close to perfect with external key consumption rate less than the 
amount D max < 1. In the second case, the security degree can't be larger as e max (l) < 1 even if the 
external key consumption rate is very close to 1. We define the quantity 



GMC 




(1)), if e max (l) < 1 
if e max (l) = 1 



which we will call the gain at the maximal external key consumption. 

Thus, we obtain six characteristics of the QKD system with the external key consumption: DIST, 
£*, D*, MIR, SOC and GMC. 

Approximately the key generation rate in a point (e, D), e < e max (D) is given by 

V(e,D)^MlR(e max (D)-e) 

It is assumed that the user generates the keys with the parameters near the optimal point (e*, D*), 
so e max (D) ss e max (D*) = e*. And the user knowing the above numeric characteristics can approx- 
imately (rather rough) calculate the key generation rate in a point (e,D), e < e max (D), by the 
formula 



V(e, D) S3 MIR(e* — e) (2) 

Vice versa, the security degree of pair of keys generated at a given rate V and external key consump- 
tion rate D is calculated by 

e(V,D) sd £ * - 
v ' ; MIR 

D* is an approximate value of the external key consumption rate, if the user generates the keys 
in a point near the optimum. SOC and GMC don't participate in these approximations, but they 
characterise the potential abilities of a QKD system. And DIST is an index of quality of a system. 

Consider the simple case of no external key consumption from the point of view of the general case. 
It was said before that V(e, D) = const, when e is fixed, and e max {D) = const = MAXS. Evidently, 
D* = 0, e* = MAXS = SOC and DIST = 1 - MAXS. GMC = -(1 - MAXS), if MAXS < 1, and 
GMC = 1, if MAXS = 1. The quantity MIR coincides with the same quantity that we defined for 
the simple case. Thus, one can use these characteristics for both the general and simple cases. 
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3.6 The list of characteristics for the specification 

Of course, besides these numeric characteristics the user must know about the assumptions about 
the adversary and the distance within which these characteristics are valid. Finally, we propose the 
following list of qualitative and quantitative characteristics which can be included in the specification: 

(i) The assumed degree of the adversary's mastering of quantum technologies: incom- 
plete/complete 

(ii) Method of providing with the authenticity of the classical channel: technological/mathematical 

(iii) The assumed adversary's computing power: limited/unlimited 

(iv) Distance from the ideal DIST (variation interval is [0, 1), dimensionless value) 

(v) The optimal security degree e* (variation interval is (0, 1], dimensionless value) 

(vi) The optimal external key consumption rate D* (variation interval is [0, 1), dimensionless value) 

(vii) Marginal increment of the key generation rate MIR (variation interval is (0, oo) bit/sec) 

(viii) Security degree of the pair of keys without the external key consumption SOC (variation interval 
is (—1,1], dimensionless value) 

(ix) Gain at the maximal external key consumption GMC (variation interval is (—1, 1], dimension- 
less value) 

(x) The distance within which these characteristics are valid (km). 

Larger value of each of the numeric characteristics (except (iv)) is preferable. In the first three 
(qualitative) characteristics the second value is preferable. 

It is assumed that the producer of the QKD system has to give to the engineer the functions t, 
V, e max (analytical formulas or graphics) and characteristics 1 - 10. To the end-user the producer 
has to give characteristics 1-10. 

The present-day commercial quantum cryptography solutions have the encryption systems (AES 
and 3DES) attached to the QKD systems. The security of these encryption protocols when the 
keys are perfectly secure is a problem of conventional cryptography, but the above (or similar) 
characteristics about the security of keys and key generation must be given. 

In subsection IH.HI we have introduced three characteristics for the simplest case: security degree 
e, length of keys m and key refresh rate R. Length of keys m drops out since m is not a constant 
any more: in the general case the user can choose any m. Security degree e is also not a constant any 
more, but some information about the values that e can have is given in characteristics (iv) and (v) 
(in the case of no key degradation problem, these characteristics are equal). R(m,e) as a function of 
m and e, which specifies the user, can be calculated by formulas (0) and fl2J). 

For the end-user ten characteristics may be too many and it's necessary to reduce the number 
of characteristics. Firstly, some of the above characteristics may be equal for all or for a very wide 
class of the QKD systems and will be eliminated. Secondly, some of these characteristics may be for 
engineers rather then for end-users. In our opinion, characteristics (i)-(iv), (vii) and (x) (i.e., three 
qualitative and three quantitative characteristics) are most important for the user. 
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Appendix. Definition of the security degree of pair of keys 

Definition (see [17, 18]). Let K, be a finite or a countable set, Ka,Kb be a pair of random 
variables (keys) on JC with the joint distribution Pr a ,k b - Let, further, TLabi'He be Hilbert spaces, 
dimTiAB = |A^| 2 , {|&A, kB)}k A ,k B &K be an orthonormal base of TLab- The pair of keys (Ka,Kb) is 
called e-secure relative to the joint (with the adversary) quantum state 
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P = P KAK B (k A , k B )\k A , k B )(k A , k B \ ® p% Atkg G S{7i AB <g> W B ) 



where 
if 

where 



Pfc A ,fc s e S{H E ),k A ,k B e JC, 
S(p,Pideai) <l—e 



Pideal = {^Tj^\k,k)(k,k\ \ ® t P K A K B {k A , k B )pf A> k B ) • 

\fce/c ' ' / \k A ,k B eic J 

Here <5(-, •) is the distance between two quantum states. For arbitrary 0, 77 G 5(H) where 7i is a 
Hilbert space, 



6(0,77) = \\(T-r}\\i = l A l" 

AGspcc(<T— 77) 

Let <Y be a finite set. The variational distance between two probability distributions (classical 
states) P and Q on this set 



WQ) = ^|P(x)-Q0r)| 



2 

is the classical analogue and a particular case of the above distance between quantum states. 

For the distance S(-, •) the following properties are satisfied. TC,TC' are arbitrary Hilbert spaces 
and 0, 77 G S(H), a',r]' G S(TC') are arbitrary states. 

(i) 

5 (a <g> cr', 77 <g> 77') < 6(0, 77) + 6(0', 77') 

with equality if er' = 77'. 

(ii) For arbitrary function (quantum operation) £ on S(T~i) 

8(£(a),£( V ))<8(a, V ) 

As a particular case, if H = Hi <S> H2, cr = a± ® 2 , 77 = 771 <g> 772, 01, 771 G 7Yi, cr 2 , 772 G 7Y 2 and 
£(cri ® cr 2 ) = 01, ^(771 ® 772) = 771, then 

5(cri, r/i) < ^(o-i <g> 2 , 771 <g> 772). 

It implies that we can divide the pairs of keys into shorter pairs of keys with the same degree 
of security (see subsection 12. 2|) . 

(iii) Consider the probability distributions P and Q of the outcomes when the same measurement 
to and 77, respectively, is applied. Then 

S(P,Q)< 5(0,77). 
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